Abstract

It is well-known that linear secret-sharing schemes (LSSS) can be constructed from linear error-correcting codes (Brickell [1], R.J. McEliece and D.V. Sarwate [2], Cramer et al. [3]). The theory of linear codes from algebraic-geometric curves (algebraic-geometric (AG) codes or geometric Goppa codes) has been well-developed since the work of V. Goppa and Tsfasman, Vladut and Zink (see [17], [18] and [19]). In this paper the linear secret-sharing schemes from algebraic-geometric codes, which are non-threshold schemes for curves of genus greater than 0, are presented. We analyze the minimal access structure, d_min and d_cheat ([8]), (strong) multiplicativity and the applications in verifiable secret-sharing (VSS) schemes and secure multi-party computation (MPC) of this construction ([3] and [10-11]). Our construction also offers many examples of self-dually GF(q)-representable matroids and many examples of new ideal linear secret-sharing schemes, addressing the problem of the characterization of the access structures of ideal secret-sharing schemes ([3] and [9]). The access structures of the linear secret-sharing schemes from the codes on elliptic curves are given explicitly. From the work in this paper we can see that the algebraic-geometric structure of the underlying algebraic curves is an important resource for secret-sharing, matroid theory, verifiable secret-sharing and secure multi-party computation.

Index Terms — Linear secret-sharing scheme (LSSS), verifiable secret-sharing (VSS), multi-party computation, access (adversary) structure, algebraic-geometric code, algebraic curve

I. Introduction and Preliminaries 

In a secret-sharing scheme among the set of participants P = {P_1, ..., P_n}, a dealer P_0, not in P, has a secret; the dealer distributes the secret among P, that is, gives each participant a share of the secret, in such a way that only the qualified subsets of P can reconstruct the secret from their shares. The access structure Γ ⊂ 2^P of a secret-sharing scheme is defined to be the family of the qualified subsets of P. The minimum access structure min Γ ⊂ 2^P is defined to be the set of minimal elements in Γ (here we use the natural order relation S_1 ≤ S_2 if and only if S_1 ⊂ S_2 on 2^P). The family of all subsets of P which are not qualified is called the adversary structure (see [3] and [10]). We call a secret-sharing scheme a (k, n)-threshold scheme if the access structure consists of the subsets of at least k elements in the set P, where the number of elements in the set P is exactly n, that is, among the n members any subset of k or more members can reconstruct the secret. The first secret-sharing schemes were given independently by Blakley [4] and Shamir [5] in 1979; actually they gave threshold secret-sharing schemes. We call a secret-sharing scheme perfect if the unqualified subsets of members have no information about the secret. The existence of secret-sharing schemes with arbitrary given access structures was proved in [6] and [7].

For a secret-sharing scheme, let V be the set of all possible share vectors (v_1, ..., v_n) (here v_i is the share of the participant P_i for i = 1, ..., n). Then V is an error-correcting code (not necessarily linear); let d_min be the minimum Hamming distance of this error-correcting code V. From the error-correcting capability, it is clear that the cheaters can be identified from any presented shares (v_1, ..., v_n) if there are at most ⌊(d_min − 1)/2⌋ cheaters. In [2] McEliece and Sarwate proved that d_min = n − k + 1 for Shamir's (k, n)-threshold scheme. K. Okada and K. Kurosawa introduced another parameter d_cheat for general secret-sharing schemes, as the number such that the correct secret value s can be recov­ered if there are at most ⌊(d_cheat − 1)/2⌋ cheaters ([8]). It is clear that d_min ≤ d_cheat; it is proved in [8] that d_cheat = n − max_{B ∈ 2^P − Γ} |B|, where |B| is the number of elements in the set B.

Let K be a finite field. A K-linear secret sharing scheme (LSSS) on the set of participants P = {P_1, ..., P_n} is defined as a sequence of surjective linear mappings {T_0, T_1, ..., T_n}, where T_i : E → E_i, and E and E_i are finite dimensional spaces over K (E_0 = K). For any x ∈ E, {T_1(x), ..., T_n(x)} are the shares of the secret value k = T_0(x). The complexity of the K-LSSS is defined as λ(Γ) = ∑_{i=1}^n dim_K(E_i); when the complexity is n, this LSSS is called ideal. One of the main open problems in secret sharing is the characterization of the access structures of ideal secret sharing schemes (see [3] and [9]).

For an access structure Γ, λ_K(Γ) is defined to be the minimum of all the values ∑_{i=1}^n dim_K(E_i) over K-linear secret sharing schemes with access structure Γ (see [12-13]). An LSSS is called multiplicative (K-MLSSS) if every participant i ∈ P can compute, from his shares k_i, k_i' of two shared secrets k, k' ∈ K, a value c_i ∈ K such that the product kk' is a linear combination of all the values c_1, ..., c_n. It is called strongly multiplicative if for any subset A such that P − A is not qualified, the product kk' can be computed using only values from the participants in A. μ(Γ) is defined to be the minimum of all the values ∑_{i=1}^n dim_K(E_i) over multiplicative K-linear secret sharing schemes with access structure Γ. For an access structure Γ on P, it is said that Γ is Q2 if A ∪ B ≠ P for any A, B ∈ Γ, and Γ is Q3 if A ∪ B ∪ C ≠ P for any A, B, C ∈ Γ. One of the key results in [10] is a method to construct, from any LSSS with Q2 access structure Γ, a multiplicative LSSS with the same access structure and double complexity, that is μ(Γ) ≤ 2λ(Γ). K-MLSSS and Q2, Q3 access structures are closely related to secure multiparty computation (see [3], [10] and [11]).

The approach of secret-sharing based on error-correcting codes was studied in [1], [2], [3], [12-15]. It is found that actually Shamir's (k, n)-threshold scheme is just the secret-sharing scheme based on the famous Reed-Solomon (RS) code. The error-correcting code based secret-sharing scheme is defined as follows. Here we suppose C is an error-correcting code over the finite field GF(q) (where q is a prime power) with code length n + 1 and dimension k, i.e., C is a k-dimensional subspace of GF(q)^{n+1}. The Hamming distance d(C) of this error-correcting code C is defined as follows.

d(C) = min{wt(v) : v ∈ C, v ≠ 0},
wt(v) = |{i : v = (v_0, v_1, ..., v_n), v_i ≠ 0}|,

where wt(v) is called the Hamming weight of v. Let G = (g_{ij})_{1≤i≤k, 0≤j≤n} be the generator matrix of C, i.e., G is a k × (n + 1) matrix whose k rows form a basis of the k-dimensional subspace C of GF(q)^{n+1}. Suppose s is a given secret value of the dealer P_0 and the secret is shared among P = {P_1, ..., P_n}, the set of n participants. Let g_i = (g_{1i}, ..., g_{ki})^T be the i-th column of G. Choose a random u = (u_1, ..., u_k) ∈ GF(q)^k such that s = u^T g_0 = ∑_i u_i g_{i0}. For the codeword c = (c_0, ..., c_n) = uG it is clear that c_0 = s is the secret; then the dealer P_0 gives the i-th participant P_i the value c_i as the share of P_i for i = 1, ..., n. In this secret-sharing scheme the error-correcting code C is assumed to be known to every participant and the dealer. For a secret sharing scheme from error-correcting codes, suppose that T_i : GF(q)^k → GF(q) is defined as T_i(x) = x^T g_i, where i = 0, ..., n and g_i is the i-th column of the generator matrix of the code C. In this form we see that the secret sharing scheme is an ideal GF(q)-LSSS.

We refer to [12-15] for the following lemma.

Lemma 1 (see [12-15]). Suppose the dual of C, C^⊥ = {v = (v_0, ..., v_n) : Gv = 0}, has no codeword of Hamming weight 1. In the above secret-sharing scheme based on the error-correcting code C, a subset {P_{j_1}, ..., P_{j_m}} of P can reconstruct the secret if and only if there is a codeword v = (1, 0, ..., v_{j_1}, ..., v_{j_m}, ..., 0) in C^⊥, non-zero only at the position 0 and at some of the positions j_1, ..., j_m, such that v_{j_i} ≠ 0 for at least one i, where 1 ≤ i ≤ m.

The secret reconstruction is as follows: since Gv = 0 and v_0 = 1, g_0 = −∑_{i=1}^m v_{j_i} g_{j_i}, where g_h is the h-th column of G for h = 0, ..., n. Then s = c_0 = u g_0 = −u ∑_{i=1}^m v_{j_i} g_{j_i} = −∑_{i=1}^m v_{j_i} c_{j_i}.

For the definition of a matroid and of the matroid on the set P = {P_1, ..., P_n} from a linear [n, k, d] code, we refer to [16]; it is well-known that the circuits (minimal dependent sets) of the matroid from a linear code are in one-to-one correspondence with the codewords with minimum Hamming weight d. Thus a subset A of P = {P_1, ..., P_n} is a minimal qualified subset of the LSSS from the linear code C if and only if {0} ∪ A is a circuit in the matroid from C (see [3]).

We need to recall some basic facts about algebraic-geometric codes (see [17], [18] and [19]). Let X be an absolutely irreducible, projective and smooth curve defined over GF(q) with genus g, D = {P_0, ..., P_n} be a set of GF(q)-rational points of X and G be a GF(q)-rational divisor satisfying supp(G) ∩ D = ∅ and 2g − 2 < deg(G) < n + 1. Let L(G) = {f : (f) + G ≥ 0} be the linear space (over GF(q)) of all rational functions with divisor not smaller than −G, and Ω(B) = {ω : (ω) ≥ B} be the linear space of all differentials with divisor not smaller than B. Then the functional AG (algebraic-geometric) code C_L(D, G) ⊂ GF(q)^{n+1} and the residual AG code C_Ω(D, G) ⊂ GF(q)^{n+1} are defined. C_L(D, G) is an [n + 1, k = deg(G) − g + 1, d ≥ n + 1 − deg(G)] code over GF(q) and C_Ω(D, G) is an [n + 1, k = n − deg(G) + g, d ≥ deg(G) − 2g + 2] code over GF(q). We know that the functional code is just the evaluations of the functions in L(G) at the set D and the residual code is just the residues of the differentials in Ω(G − D) at the set D (see [17-19]).

We also know that C_L(D, G) and C_Ω(D, G) are dual codes. It is known that for a differential η that has poles at P_0, ..., P_n with residue 1 (there always exists such an η, see [18]) we have C_Ω(D, G) = C_L(D, D − G + (η)), the function f corresponding to the differential fη. This means that functional codes and residual codes are essentially the same. It is clear that if there exists a differential η such that G = D − G + (η), then C_L(D, G) = C_Ω(D, G) = C_L(D, D − G + (η)) is a self-dual code over GF(q). In many cases the matroids from AG-codes can be computed explicitly from the algebraic-geometric structure of the underlying curves, thus we have many interesting examples of self-dually GF(q)-representable matroids from this construction (see section VI below). For many examples of AG codes, including these self-dual AG-codes, we refer to [17], [18] and [19].

II Main Results 

Let X be an absolutely irreducible, projective and smooth curve defined over GF(q) with genus g, D = {P_0, ..., P_n} be a set of GF(q)-rational points of X and G be a GF(q)-rational divisor with degree m satisfying supp(G) ∩ D = ∅ and 2g − 2 < m < n + 1. We have an LSSS on the n participants P = {P_1, ..., P_n} from the linear code C_Ω(D, G); thus we know that the reconstruction of the secret is based on its dual code C_L(D, G). For a curve of genus 0 over GF(q), we have exactly the same LSSS as Shamir's (k, n)-threshold scheme, since the AG-codes on a curve of genus 0 are just the RS codes (see [17-19]).

The following are the main results of this paper. 

Theorem 1. The LSSS over GF(q) from the code C_Ω(D, G) has the following properties.

1) This LSSS is ideal;

2) Any subset A ⊂ P satisfying |A| < n − m is not a qualified subset, and any subset A ⊂ P satisfying |A| ≥ n − m + 2g is qualified.

Proposition 1. Let X, D, P and G be as above. Suppose the genus g of X is not 0, n ≥ 3 and the minimum (Hamming) distance d(C_L(D, G)) is exactly n + 1 − deg(G) ≥ 2. Then the LSSS from the residue code C_Ω(D, G) is not a threshold secret-sharing scheme.

Proposition 2. For the LSSS over GF(q) from the code C_L(D, G) we have n − m ≤ d_min ≤ d_cheat ≤ n − m + 2g.

Theorem 2. The LSSS over GF(q) from the code C_Ω(D, G) has the following properties.

1) This LSSS is multiplicative if m ≥ n/2 + 2g;

2) This LSSS is strongly multiplicative if m ≥ 2n/3 + 2g.

Let X, D, P and G be as above, and let A be the adversary structure of the LSSS from the residue code C_Ω(D, G). Then we have the following result (for the definitions in the following result we refer to [10] and [11]).
Theorem 3. Let the finite field GF(q) and the adversary structure A be as above.

1) If m ≥ 2n/3 + 2g, then there exists a polynomial complexity error-free VSS (Verifiable Secret-Sharing, over GF(q)) protocol in the information-theoretic scenario, secure against any active and adaptive A-adversary.

2) If m ≥ 2n/3 + 2g, then for any arithmetic circuit U over GF(q) there exists a polynomial complexity error-free MPC (Multi-party Computation) protocol computing U in the information-theoretic scenario, secure against any adaptive and active A-adversary.

3) If m ≥ n/2 + 2g, then for any arithmetic circuit U over GF(q) there exists a polynomial complexity error-free MPC (Multi-party Computation) protocol computing U in the information-theoretic scenario, secure against any adaptive and passive A-adversary.

Proof of Theorem 1. 1) is clear from the construction. If A is a qualified subset of P, then there exists a codeword in C_L(D, G) which is not zero at P_0 and at some P_j's in the subset A, and which is zero at P − A (Lemma 1). Thus we have |A| ≥ n + 1 − m − 1 = n − m. On the other hand, if A ⊂ P and |A| ≥ n − m + 2g, we have dim(L(G − A^c)) ≥ deg(G − A^c) − g + 1 ≥ g + 1 from the Riemann-Roch theorem (see [17-20]), where A^c = P − A. We also know that the linear system (see [20]) defined by the divisor G − A^c has no base point since deg(G − A^c) ≥ 2g (see [20]). Thus there is a function f ∈ L(G − A^c) such that f is not zero at P_0 and zero at all points in the set A^c, so the codeword in C_L(D, G) corresponding to this f is not zero at P_0 and its other non-zero positions lie in a subset of A (or in A itself). So A is qualified.

Proof of Proposition 1. If the LSSS from C_Ω(D, G) is a threshold scheme, it is an (n − m, n)-threshold scheme since d(C_L(D, G)) = n + 1 − m. This implies that any subset A of P with cardinality |A| = m is linearly equivalent to G (A is considered as a divisor; see [20] for the definition of linear equivalence). Since n ≥ 3 and n − m ≥ 1, we know that any two points in P are linearly equivalent, so dim(L(P_i)) ≥ 2 for any point P_i ∈ P. From the Riemann-Roch Theorem dim(L(K − P_i)) = dim(L(K)) = g, where K is a canonical divisor of the curve X. If g = 1, this is obviously not true since K = 0 in this case. If g ≥ 2, it is known that the canonical linear system has no base point. This is a contradiction.

Proof of Proposition 2. It is clear that d_min is the minimum distance of the code C_L(D, G), so d_min ≥ n − m. On the other hand the minimum Hamming weight of C_Ω(D, G) is at least m − 2g + 2, thus max_{B ∈ 2^P − Γ} |B| ≤ m − 2g. Thus d_cheat = n − max_{B ∈ 2^P − Γ} |B| ≤ n − m + 2g. The conclusion is proved.

Proof of Theorem 2. Suppose two secrets are distributed; we know that the shares of the participant P_i are just the function values f_1(P_i), f_2(P_i), where f_j is a function in L(D − G + (η)) (corresponding to f_j η in Ω(G − D)). The secrets are just the function values f_1(P_0), f_2(P_0) at P_0. Here we have f_1 f_2 ∈ L(2(D − G + (η))). If 2g − 2 < deg(2(D − G + (η))) < n, C_Ω(D, 2(D − G + (η))) is the (non-zero) dual code of C_L(D, 2(D − G + (η))). Thus there is a non-zero codeword in C_Ω(D, 2(D − G + (η))). On the other hand, if the linear system corresponding to Ω(2(D − G + (η)) − D) (corresponding to L(2G − D − (η))) has no base point (this is valid if deg(2G − D − (η)) ≥ 2g, see [20]), we can make this codeword in C_Ω(D, 2(D − G + (η))) not zero at the position P_0. Thus f_1(P_0) f_2(P_0) is a linear combination of f_1(P_1) f_2(P_1), ..., f_1(P_n) f_2(P_n). The conclusion of 1) is proved.
For the conclusion 2), we only need to prove that the linear system corresponding to L(2G − D − (η) − H) has no base point for any unqualified subset H of P. From Theorem 1, deg(H) < n − m + 2g. Thus the conclusion of 2) is true if deg(2G − D − (η) − H) ≥ 2g. The conclusion of 2) is proved.

Proof of Theorem 3. From Theorem 1 we know that each subset H of P in the adversary structure has at most n − m + 2g − 1 elements. The adversary structure is Q2 if m ≥ n/2 + 2g and Q3 if m ≥ 2n/3 + 2g. Then the conclusions of Theorem 3 follow from Theorem 2 and the main results in [10] directly.

We should note that the parameter m can be chosen quite flexibly, as in the theory of AG-codes (see [17-19]).

III An Asymptotic Result. 

For any given finite field GF(q^2), where q is a prime power, it is known that there exists a family of smooth projective curves {X_t}_{t=1,2,...} defined over GF(q^2) with N_t rational points (over GF(q^2)) and genus g_t such that lim_{t→∞} N_t/g_t = q − 1 (see e.g. [21]), the family of curves over GF(q^2) attaining the Drinfeld-Vladut bound (see [18-19]). This family of curves is important for the existence of families of AG-codes exceeding the Gilbert-Varshamov bound. By choosing m suitably we can have a similar asymptotic result for the LSSS from AG-codes.

Corollary 1. For any given finite field GF(q^2) with q^2 (q ≥ 11) elements, there exists a family of natural numbers {N_t}_{t=1,2,...} such that {N_t} goes to infinity, and a family of access structures {Γ_t} on sets of N_t elements with the property that any subset with fewer than k_t^1 elements is not in Γ_t and any subset with more than k_t^2 elements is in Γ_t. We can construct

1) ideal GF(q^2)-LSSS with the access structure Γ_t;

2) VSS over GF(q^2) secure against any adaptive and active Γ_t^c-adversary (Γ_t^c consisting of the subsets not in Γ_t);

3) MPC (computing any arithmetic circuit over GF(q^2)) secure against any adaptive and active Γ_t^c-adversary.

Moreover the parameters (k_t^1, k_t^2, N_t) can be chosen satisfying lim_{t→∞} k_t^1/N_t = R_1 > 0 and lim_{t→∞} k_t^2/N_t = R_2 = R_1 + 2/(q − 1) > 0 for arbitrary given R_1 ∈ (0, 1/3 − 2/(q − 1)).

This result follows from the main result in [21] and Theorems 1, 2 and 3 above directly.

IV LSSS from Elliptic Curves 

We need to recall the following result in [22-23]. 

Theorem 4 (see [22]). 1) Let E be an elliptic curve over GF(q) with the group of GF(q)-rational points E(GF(q)). Then E(GF(q)) is isomorphic to Z_{n_1} ⊕ Z_{n_2}, where n_1 is a divisor of q − 1 and n_2

2) If E is supersingular, then E(GF(q)) is either

a) cyclic;

b) or Z_2 ⊕ Z_{(q+1)/2};

c) or Z_{√q−1} ⊕ Z_{√q−1};

d) or Z_{√q+1} ⊕ Z_{√q+1}.

In this section and in section VI we analyze the access structures of the LSSS from elliptic curves and the self-dually GF(q)-representable matroids from the AG-codes on elliptic curves.

For any given elliptic curve E over GF(q), from the above Theorem let D' = {0, g_1, ..., g_{H−1}} be a subgroup of E(GF(q)) which is of order H (here 0 is the zero element of the group). 0, g_1, ..., g_{H−1} correspond to the rational points O, P_1, P_2, ..., P_{H−1} of E. In the construction of section II, we take G = mO, D = {P_1, ..., P_{H−1}} and P = {P_2, ..., P_{H−1}}. We have the following result.

Theorem 5. a) Let A = {P_{i_1}, ..., P_{i_m}} be a subset of P with m elements. A^c is a minimal qualified subset for the LSSS from C_Ω(D, G) if and only if g_{i_1} + ... + g_{i_m} = 0 in E(GF(q));

b) Let A = {P_{i_1}, ..., P_{i_{m−1}}} be a subset of P with m − 1 elements. A^c is a minimal qualified subset for the LSSS from C_Ω(D, G) if and only if g_{i_1} + ... + g_{i_{m−1}} = 0 in E(GF(q)) or there exists a j ∈ {i_1, ..., i_{m−1}} such that g_{i_1} + ... + g_{i_{m−1}} + g_j = 0 in E(GF(q));

c) Any subset of P with at least H − m + 2 elements is qualified.

Proof. We know that for any t points W_1, ..., W_t in E(GF(q)) the divisor W_1 + ... + W_t − tO is linearly equivalent to the divisor W − O, where W is the group sum of W_1, ..., W_t in the group E(GF(q)). From the proof of Theorem 1, {P_{i_1}, ..., P_{i_m}}^c is a qualified subset (therefore a minimal qualified subset) if there exists a function f ∈ L(G) such that f(P_{i_1}) = ... = f(P_{i_m}) = 0; this means that the divisor P_{i_1} + ... + P_{i_m} is linearly equivalent to G = mO. The conclusion of a) is proved.

From the proof of Theorem 1, {P_{i_1}, ..., P_{i_{m−1}}}^c is a qualified subset if there exists a function f ∈ L(G) such that f(P_{i_1}) = ... = f(P_{i_{m−1}}) = 0; this means that the divisor P_{i_1} + ... + P_{i_{m−1}} + B is linearly equivalent to G = mO for some effective divisor B. It is clear that deg(B) = 1 and B is a GF(q)-rational point of E. From the group structure of E(GF(q)), B is in D'. On the other hand we note that B ≠ P_0, so B is O or a point in P. The conclusion of b) is proved. The conclusion of c) follows from Theorem 1 directly.

Example 1. Let E be the elliptic curve y^2 = x^3 + 5x + 4 defined over GF(7). Then E(GF(7)) is a cyclic group of order 10 with O the point at infinity and P_0 = (3, 2), P_1 = (2, 6), P_2 = (4, 2), P_3 = (0, 5), P_4 = (5, 0), P_5 = (0, 2), P_6 = (4, 5), P_7 = (2, 1), P_8 = (3, 5). From an easy computation we know that P_0 is a generator of E(GF(7)) and P_i is (i + 1)P_0 (in the group operation of E(GF(7))). We take G = 3O, D = {P_0, P_1, ..., P_8}; then the access structure of the ideal GF(7)-LSSS from C_Ω(D, G) consists of the following subsets of P = {P_1, ..., P_8}.

1) All subsets of P with 7 elements and the set P;

2) The following 10 subsets of 6 elements are minimal qualified subsets: {P_1, P_3}^c, {P_1, P_5}^c, {P_1, P_7}^c, {P_1, P_8}^c, {P_2, P_3}^c, {P_2, P_6}^c, {P_3, P_5}^c, {P_3, P_7}^c, {P_5, P_6}^c, {P_5, P_7}^c;

3) The following 5 subsets with 5 elements are minimal qualified subsets: {P_1, P_2, P_4}^c, {P_2, P_7, P_8}^c, {P_3, P_6, P_8}^c, {P_4, P_5, P_8}^c, {P_4, P_6, P_7}^c.
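The code-based construction of sections I and II carried out on Example 1, as an added illustration that is not part of the paper: the generator matrix of C_L(D, 3O) is obtained by evaluating the basis {1, x, y} of L(3O) at the nine points, C_Ω(D, 3O) is its null space, the dealer hands out a random codeword of C_Ω with c_0 = s, and Lemma 1 (a codeword of the dual with v_0 = 1 supported inside the subset) decides which participant subsets can reconstruct. The function names and the brute-force enumeration of all 2^8 subsets are this example's own choices; the point labels are those of Example 1, and the minimal qualified subsets it finds can be compared with the list above.

```python
import itertools
import random

P_MOD = 7  # Example 1 is over GF(7): E is y^2 = x^3 + 5x + 4

# The nine affine GF(7)-points of E in the paper's labelling P_0..P_8.
# P_0 is the dealer's point, P_1..P_8 the n = 8 participants, D = {P_0, ..., P_8}.
POINTS = [(3, 2), (2, 6), (4, 2), (0, 5), (5, 0), (0, 2), (4, 5), (2, 1), (3, 5)]
N = len(POINTS) - 1

def on_curve(pt):
    x, y = pt
    return (y * y - (x ** 3 + 5 * x + 4)) % P_MOD == 0

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % P_MOD

def gen_matrix_CL():
    """Generator matrix of C_L(D, 3O): the basis 1, x, y of L(3O) evaluated at D.
    Its column i is the vector g_i = (1, x_i, y_i) of the text."""
    return [[1] * len(POINTS), [x for x, _ in POINTS], [y for _, y in POINTS]]

def nullspace(rows, ncols):
    """Basis of {v : M v = 0} over GF(P_MOD) for M given as a list of rows
    (reduced row echelon form, then one basis vector per free column)."""
    m = [r[:] for r in rows]
    pivots, r = [], 0
    for c in range(ncols):
        piv = next((i for i in range(r, len(m)) if m[i][c]), None)
        if piv is None:
            continue
        m[r], m[piv] = m[piv], m[r]
        inv = pow(m[r][c], P_MOD - 2, P_MOD)
        m[r] = [(v * inv) % P_MOD for v in m[r]]
        for i in range(len(m)):
            if i != r and m[i][c]:
                f = m[i][c]
                m[i] = [(a - f * b) % P_MOD for a, b in zip(m[i], m[r])]
        pivots.append(c)
        r += 1
    basis = []
    for fc in (c for c in range(ncols) if c not in pivots):
        v = [0] * ncols
        v[fc] = 1
        for i, pc in enumerate(pivots):
            v[pc] = (-m[i][fc]) % P_MOD
        basis.append(v)
    return basis

def reconstruction_vector(subset):
    """Lemma 1 for C = C_Omega(D, 3O), whose dual is C_L(D, 3O): a codeword v of
    C_L with v_0 = 1 and v_i = 0 for every participant i outside `subset`,
    or None if none exists (then `subset` is not qualified)."""
    cols = list(zip(*gen_matrix_CL()))                        # cols[i] = g_i
    outside = [list(cols[i]) for i in range(1, N + 1) if i not in subset]
    for u in nullspace(outside, 3):       # f = u0 + u1*x + u2*y vanishing outside
        if dot(u, cols[0]):               # f(P_0) != 0: rescale so that v_0 = 1
            inv = pow(dot(u, cols[0]), P_MOD - 2, P_MOD)
            return [dot(u, g) * inv % P_MOD for g in cols]
    return None

def minimal_qualified():
    """Minimal access structure as sets of participant indices, by brute force
    over all subsets with Lemma 1 (independent of Theorem 5)."""
    qualified = [frozenset(s) for k in range(1, N + 1)
                 for s in itertools.combinations(range(1, N + 1), k)
                 if reconstruction_vector(s) is not None]
    return [set(q) for q in qualified if not any(o < q for o in qualified)]

def deal(secret, seed=None):
    """Dealer's step: a random codeword c of C_Omega(D, 3O) (the null space of
    the generator matrix of C_L) with c_0 = secret; participant P_i gets c_i."""
    gen = nullspace(gen_matrix_CL(), N + 1)          # generator matrix of C_Omega
    w = next(row for row in gen if row[0])           # a codeword with w_0 != 0
    rng = random.Random(seed)
    u = [rng.randrange(P_MOD) for _ in gen]
    c = [sum(ui * row[j] for ui, row in zip(u, gen)) % P_MOD for j in range(N + 1)]
    t = (secret - c[0]) * pow(w[0], P_MOD - 2, P_MOD) % P_MOD
    c = [(ci + t * wi) % P_MOD for ci, wi in zip(c, w)]  # shift so that c_0 = secret
    return {i: c[i] for i in range(1, N + 1)}

def reconstruct(shares):
    """Participants holding `shares` (index -> c_i) recover s = c_0 = -sum v_i c_i
    as in the text; None when they are not a qualified subset."""
    v = reconstruction_vector(set(shares))
    if v is None:
        return None
    return (-sum(v[i] * ci for i, ci in shares.items())) % P_MOD
```

Running `minimal_qualified()` returns the 5 five-element and 10 six-element subsets of Example 1, and `reconstruct` on fewer shares than a qualified subset returns None.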
Example 2. Let E be the elliptic curve y^2 + y = x^3 defined over GF(4). This is the Hermitian curve over GF(4); it has 9 rational points and E(GF(4)) is isomorphic to Z_3 ⊕ Z_3. We take G = 3O, where O is the zero element in the group E(GF(4)). Let P_{ij} be the rational point on E corresponding to (i, j) in Z_3 ⊕ Z_3, D = {P_10, P_01, ..., P_22} and P = {P_01, ..., P_22}. Then the qualified subsets of the ideal LSSS from C_Ω(D, G) are as follows.

1) The minimal qualified subsets of 4 elements are {P_20, P_21, P_02}^c, {P_01, P_20, P_22}^c, {P_11, P_12, P_20}^c.

2) The minimal qualified subsets of 5 elements are {P_01, P_02}^c, {P_11, P_22}^c, {P_12, P_21}^c.

3) The subsets of P of 6 elements and the set P are qualified.

V LSSS from Klein Quartic 

The Klein quartic is the genus 3 curve x^3 y + y^3 z + z^3 x = 0 (in the projective plane) defined over GF(8). It is well-known that there are 24 rational points (over GF(8), see [23]). It is clear that Q_1 = (1 : 0 : 0), Q_2 = (0 : 1 : 0), Q_3 = (0 : 0 : 1) are 3 rational points on X. The line L_0 : y = 0 intersects X at 3Q_1 + Q_3 (counted with multiplicity, see [20]). The line L_{α_i} : y = α_i x, where α_1, ..., α_7 are the 7 non-zero elements of GF(8), intersects X at Q_3 and 3 other rational points. Let P be the set of these 21 rational points, G = 3Q_1 + Q_3 and D = {Q_2} ∪ P. We consider the LSSS from the residue code C_Ω(D, G).

In this case, though deg(G) = 2g − 2, C_L(D, G) (dimension 3) and C_Ω(D, G) (dimension 19) are dual codes (see [19]).

It should be noted that the line passing through any two distinct points in P has to pass through the other 2 points in the set P (see [23]).

Proposition 3. The minimal qualified subsets of the LSSS from C_Ω(D, G) are the subsets of P of the form {P_1, P_2, P_3}^c, where P_1, P_2, P_3 and Q_3 are on the line L_{α_i} for some i ∈ {1, ..., 7}, or {P_1', P_2', P_3', P_4'}^c for some 4 points in P which are on one line.

Proof. From the Riemann-Roch Theorem dim(L(G)) = 3, so {x, y, z} is a basis. So every function in L(G) is of the form ax + by + cz. The subset A^c of P is qualified if and only if there exists one f ∈ L(G) such that f is zero on A; the conclusion follows directly.

VI Self Dually GF(q) Representable Matroids from AG-codes 

For X, D, G as in section II, if there exists a differential η on X such that D − G + (η) = G, then the matroid from the code C_L(D, G) is self-dually GF(q)-representable. In many cases from algebraic geometry the matroid of the corresponding AG-codes C_Ω(D, G) = C_L(D, G) can be calculated. This offers many examples of new self-dually representable matroids (see [3] for the background).

Let E be an elliptic curve defined over GF(q); it is known that the canonical divisor of E is zero, so the condition that there exists a differential η such that D − G + (η) = G is equivalent to the condition that D − G and G are linearly equivalent.
Let D = {g_1, ..., g_H} be a subset of non-zero elements in E(GF(q)), where H is even and the group sum of all elements in D is zero in E(GF(q)). g_1, ..., g_H correspond to the rational points P_1, ..., P_H of E. In the construction, we take G = mO, where m = H/2 and O corresponds to the zero element of E(GF(q)), and D = {P_1, ..., P_H}. Here it is easy to see that D (as a divisor) is linearly equivalent to HO. So we know that D − G is linearly equivalent to G. We have the following result.

Theorem 6. a) Let A = {P_{i_1}, ..., P_{i_m}} be a subset of D with m elements. A^c is a circuit of the matroid defined by C_Ω(D, G) = C_L(D, G) if and only if g_{i_1} + ... + g_{i_m} = 0 in E(GF(q));

b) Let A = {P_{i_1}, ..., P_{i_{m−1}}} be a subset of D with m − 1 elements. A^c is a circuit of the matroid defined by C_Ω(D, G) = C_L(D, G) if and only if g_{i_1} + ... + g_{i_{m−1}} = 0 in E(GF(q)) or there exists a non-zero element g ∈ (E(GF(q)) − D) ∪ A such that g_{i_1} + ... + g_{i_{m−1}} + g = 0 in E(GF(q)).

The proof of Theorem 6 is similar to that of Theorem 5. 

Example 3. Let E be the elliptic curve y^2 = x^3 + 5x + 4 defined over GF(7). Then E(GF(7)) is a cyclic group of order 10 with O the point at infinity and P_0 = (3, 2), P_1 = (2, 6), P_2 = (4, 2), P_3 = (0, 5), P_4 = (5, 0), P_5 = (0, 2), P_6 = (4, 5), P_7 = (2, 1), P_8 = (3, 5). Set D = {P_0, P_1, P_2, P_3, P_5, P_6, P_7, P_8}, G = 4O. It is clear that the group sum of all points in D is zero. Then the circuits of the self-dually GF(7)-representable matroid defined by C_Ω(D, G) = C_L(D, G) are the following subsets of D.

1) The following 8 subsets of 4 elements: {P_0, P_1, P_2, P_4}^c, {P_0, P_1, P_7, P_8}^c, {P_0, P_2, P_6, P_8}^c, {P_0, P_3, P_5, P_8}^c, {P_0, P_3, P_6, P_7}^c, {P_1, P_2, P_6, P_7}^c, {P_1, P_3, P_5, P_7}^c, {P_2, P_3, P_5, P_6}^c;

2) The following 15 subsets with 5 elements: {P_0, P_1, P_6}^c, {P_0, P_2, P_5}^c, {P_2, P_7, P_8}^c, {P_3, P_6, P_8}^c, {P_0, P_5, P_7}^c, {P_1, P_5, P_6}^c, {P_1, P_3, P_8}^c, {P_2, P_3, P_7}^c, {P_0, P_1, P_5}^c, {P_0, P_5, P_6}^c, {P_0, P_2, P_7}^c, {P_1, P_6, P_8}^c, {P_1, P_3, P_6}^c, {P_2, P_5, P_7}^c, {P_3, P_7, P_8}^c.

Example 4. Let E be the elliptic curve y^2 + y = x^3 defined over GF(4). This is the Hermitian curve over GF(4); it has 9 rational points and E(GF(4)) is isomorphic to Z_3 ⊕ Z_3. Let P_{ij} be the rational point on E corresponding to (i, j) in Z_3 ⊕ Z_3. We take G = 4O, where O is the zero element in the group E(GF(4)), and D = {P_10, P_01, ..., P_22}, the 8 non-zero elements of E(GF(4)). It is clear that D − G and G are linearly equivalent. Then the circuits of the self-dually GF(4)-representable matroid defined by C_Ω(D, G) = C_L(D, G) are the following subsets of D.

1) The 6 subsets of 4 elements are {P_01, P_02, P_10, P_20}^c, {P_01, P_02, P_11, P_22}^c, {P_01, P_02, P_12, P_21}^c, {P_10, P_20, P_11, P_22}^c, {P_10, P_20, P_12, P_21}^c, {P_12, P_21, P_11, P_22}^c;

2) The 32 subsets of 5 elements are {P_01, P_10, P_22}^c, {P_01, P_11, P_21}^c, {P_01, P_12, P_20}^c, {P_02, P_10, P_21}^c, {P_02, P_11, P_20}^c, {P_02, P_12, P_22}^c, {P_10, P_11, P_12}^c, {P_20, P_21, P_22}^c, {P_02, P_10, P_22}^c, {P_01, P_20, P_22}^c, {P_01, P_10, P_11}^c, {P_02, P_11, P_21}^c, {P_01, P_22, P_21}^c, {P_01, P_11, P_12}^c, {P_02, P_12, P_20}^c, {P_01, P_21, P_20}^c, {P_01, P_12, P_10}^c, {P_01, P_10, P_21}^c, {P_02, P_20, P_21}^c, {P_02, P_10, P_12}^c, {P_01, P_11, P_20}^c, {P_02, P_22, P_20}^c, {P_02, P_11, P_10}^c, {P_01, P_12, P_22}^c, {P_02, P_12, P_22}^c, {P_02, P_11, P_12}^c, {P_20, P_12, P_11}^c, {P_10, P_22, P_12}^c, {P_10, P_11, P_21}^c, {P_10, P_21, P_22}^c, {P_20, P_12, P_22}^c, {P_20, P_21, P_11}^c.

VII Conclusions 

We have presented the ideal linear secret-sharing schemes from the AG-codes on algebraic curves, which can be thought of as a natural generalization of Shamir's (k, n)-threshold scheme (from AG-codes on the genus 0 curve, i.e. RS codes). These ideal linear secret-sharing schemes are not threshold schemes for curves of positive genus, which offers many new examples of access structures of ideal LSSS. The general properties of LSSS from AG-codes are proved and their applications in verifiable secret-sharing and secure multi-party computation are presented. New examples of self-dually representable matroids from self-dual AG-codes have been calculated. We demonstrated that the algebraic-geometric structure of the underlying curves is an important resource for secret-sharing, multi-party computation and the theory of matroids.

Note. After this paper was completed and submitted, the author was informed by Professor R. Cramer of his paper "Algebraic geometric secret sharing schemes and secure computation over small fields", in which the idea of using algebraic-geometric codes in secret sharing and secure computation was independently developed.

Acknowledgement. This work is supported by Grant 60542006 and Distinguished Young 
Scholar Grant 10225106 of NNSF, China. 